External risk intelligence

F5 BIG-IP Systems Vulnerable to Remote Code Execution and Denial of Service

CVE advisory · Known Exploit

CVE-2021-22991

Certain F5 BIG-IP systems are affected by a vulnerability that can lead to denial-of-service or bypass of access controls. This may impact system availability and data integrity. The risk to business operations is heightened as this vulnerability can be exploited remotely.

Halo Surface Signal: 5

Memory Corruption

F5 Big Ip Access Policy Manager

  • 12.1.0 to before 12.1.5.3
  • 13.1.0 to before 13.1.3.6
  • 14.1.0 to before 14.1.4
  • 15.1.0 to before 15.1.2.1
  • 16.0.0 to before 16.0.1.1

External exposure likelihood

Halo Surface Signal score for CVE-2021-22991

This vulnerability affects F5 BIG-IP systems, which are enterprise-grade network appliances designed specifically to act as internet-facing gateways, load balancers, and edge service controllers. These devices are intentionally deployed at the edge of networks to process and handle public-facing traffic, making the vulnerable service directly reachable from the internet by design.

Horizon Alert

Summary of the vulnerability and why it matters

Certain versions of F5 BIG-IP systems may incorrectly handle specific requests directed to a virtual server. This handling error can lead to a buffer overflow, potentially allowing attackers to bypass access controls or execute unauthorized code. Such an exploit could compromise system integrity and data confidentiality.

  • Vulnerable F5 BIG-IP systems.
  • Buffer overflow in request handling.
  • Unauthorized code execution and access bypass.

Attack Path

How an attacker could exploit the issue

Exploitation of this vulnerability occurs when specific requests are sent to a virtual server, which are then mishandled by the Traffic Management Microkernel. This handling can lead to a buffer overflow, potentially enabling an attacker to bypass URL-based access controls or execute remote code. The vulnerability affects several versions of the BIG-IP product line.

  • External network exposure required.
  • Unauthenticated attacker gains access.
  • Malicious requests trigger overflow.
  • Attacker gains control.

Live Threat

Current exploitation, exposure, and threat context

Exploitation of this vulnerability could allow unauthorized access to systems, potentially leading to data breaches or denial-of-service attacks. The vulnerability exists within the Traffic Management Microkernel (TMM) of F5 BIG-IP systems, which are designed to manage network traffic and act as internet-facing gateways. Successful exploitation could bypass URL-based access controls and enable remote code execution, posing a significant business risk.

  • Attackers with low skill level.
  • No specific access or conditions needed.
  • High business risk; treat as urgent.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

The organization should proactively address the impacts of this vulnerability in F5 BIG-IP systems. Because it can lead to denial-of-service conditions, bypass of access controls, or remote code execution, it presents a significant risk to affected systems and the data they manage. Addressing it requires a structured approach: identify the exposed systems, mitigate the exposure, and remediate by applying the vendor fix, thereby strengthening the overall security posture.

  • Identify all exposed F5 BIG-IP assets.
  • Reduce exposure or isolate affected systems.
  • Apply vendor fixes and validate.
  • Monitor for related activity.
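The first two actions above depend on knowing which of your BIG-IP devices run a version inside the affected ranges listed on this page. The following script is an added example, not part of this advisory or of F5's tooling: it parses a version string, compares it against the five affected branches exactly as given above, and triages a constructed inventory of hostnames and version strings. The hostnames and the "BIG-IP x.y.z Build ..." strings are constructed sample input; versions on branches not listed here (for example 11.x or 17.x) are reported as not matching these ranges, and F5's advisory remains the authority for those.

```python
import re

# Affected ranges exactly as listed on this page: a version on a branch is
# affected if it is >= the branch start and < the first fixed release.
AFFECTED_RANGES = [
    ("12.1.0", "12.1.5.3"),
    ("13.1.0", "13.1.3.6"),
    ("14.1.0", "14.1.4"),
    ("15.1.0", "15.1.2.1"),
    ("16.0.0", "16.0.1.1"),
]


def parse_version(text):
    """Extract the first dotted numeric version from a string and return it
    as a four-component tuple so that '14.1.4' compares as (14, 1, 4, 0)."""
    match = re.search(r"\d+(?:\.\d+)*", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    parts = [int(p) for p in match.group(0).split(".")]
    return tuple((parts + [0, 0, 0, 0])[:4])


def is_affected(version_text):
    """True if the version falls inside any affected range on this page."""
    version = parse_version(version_text)
    return any(
        parse_version(start) <= version < parse_version(fixed)
        for start, fixed in AFFECTED_RANGES
    )


def triage(inventory):
    """Return the hostnames (in inventory order) whose version is affected."""
    return [host for host, version_text in inventory if is_affected(version_text)]


# Constructed sample inventory; hostnames and version strings are hypothetical
# and only illustrate the "BIG-IP <version> Build <build>" shape.
SAMPLE_INVENTORY = [
    ("lb-edge-01", "BIG-IP 15.1.2 Build 0.0.9"),     # below 15.1.2.1 -> affected
    ("lb-edge-02", "BIG-IP 16.0.1.1 Build 0.0.6"),   # first fixed on 16.0 -> not affected
    ("lb-core-01", "BIG-IP 13.1.3.4 Build 0.0.5"),   # below 13.1.3.6 -> affected
    ("lb-lab-01", "BIG-IP 14.1.4 Build 0.0.11"),     # first fixed on 14.1 -> not affected
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: version inside an affected range, apply the F5 fix")
```

Feed the function the version string from each device's management interface (or from your CMDB) and treat every hostname it returns as a remediation target; after patching, re-run it and confirm the list is empty, which is the "validate" step in the actions above.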

Frequently asked questions

What is F5 BIG-IP and what is it used for?

F5 BIG-IP is a suite of network devices that manage, secure, and optimize application traffic. It's used for tasks like load balancing, ensuring applications are available, and protecting against online threats. Many organizations use BIG-IP to handle traffic entering and leaving their networks.

What kind of vulnerability does CVE-2021-22991 describe?

CVE-2021-22991 describes a buffer overflow vulnerability (CWE-119). This means that sending specific requests to a vulnerable BIG-IP system can cause its Traffic Management Microkernel (TMM) to process data incorrectly, potentially leading to a denial of service or even allowing an attacker to bypass access controls or execute code remotely.

How can an attacker exploit this vulnerability?

An attacker can exploit this vulnerability by sending specially crafted requests to a BIG-IP virtual server. The vulnerability exists in how the Traffic Management Microkernel (TMM) handles URI normalization. It is not triggered by normal network traffic or by users interacting with the application behind BIG-IP.

Who should be concerned about CVE-2021-22991?

Organizations using F5 BIG-IP systems should be concerned. These systems are often deployed as internet-facing gateways and handle a large amount of traffic, making them a potential target. The Halo Surface Signal indicates this vulnerability is very likely exposed to the internet, meaning external attackers could potentially reach it.

What is the first step to address CVE-2021-22991?

The first step is to identify if you are running a vulnerable version of F5 BIG-IP. If so, you should consult F5's advisories for specific instructions on updating your software to a fixed version. Applying vendor-supplied patches or updates is the recommended course of action.
